from the good-luck-with-that dept

Germany has had perhaps the hardest time coming to terms with Edward Snowden's revelations of massive spying by the US and its Five Eyes allies. On the one hand, Germans are acutely sensitive to surveillance because of their country's recent history, giving rise to some of the strongest public reactions against US spying amongst any nation. On the other hand, the German government has doubtless benefitted from information gathered by the US, and is therefore reluctant to complain too much about the NSA's activities.

German newsmagazine Der Spiegel said that the German Foreign Office has been systematically contacting consular authorities from every foreign nation located in Germany. In each case, the foreign consular representatives have been issued formal requests to release "through official diplomatic channels" an exhaustive list of names of their intelligence operatives operating in Germany under diplomatic cover.

Of course, there's no way of knowing whether a country has fully complied with that request, since by definition the spies are currently secret. Well, most of them are; as the post on Intelnews.org quoted above points out:

A small number of these intelligence officers voluntarily make their presence known to the corresponding intelligence agency of their host country, and are thus officially declared and accredited with the government of the host nation. They typically act as points-of-contact between the embassy and the intelligence agency of the host nation on issues of common concern requiring cross-country collaboration or coordination. But the vast majority of intelligence personnel stationed at a foreign embassy or consulate operate without the official knowledge or consent of the host country. Governments generally accept this as a tacit rule in international intelligence work, which is why Berlin's move is seen as highly unusual.

I imagine many countries will simply add a few more names to the list of intelligence officers that they officially acknowledge as a token measure of compliance, and will then go back to spying with the rest (or just bring in some new ones that they don't declare.) All-in-all, this seems yet another move designed to prove to German citizens that their government is "taking things seriously", and "doing something", while at the same time ensuring that the "something" is largely ineffectual and doesn't harm their relationship with the US.

from the hey,-look-over-there! dept

Even as more and more examples of questionable surveillance by the US government are revealed, the US is apparently still trying its "hey, look over there!" strategy in response. This morning, Attorney General Eric Holder is announcing that the US has filed meaningless criminal charges against members of the Chinese military for economic espionage done via the internet.

Of course, there's no chance of any actual prosecution happening here. If anything this is all just a bit of diplomatic showmanship. In fact, I wouldn't be surprised to quickly see China respond in kind with "criminal charges" being announced against folks from the NSA for the various spying that they've done on China. US officials will, as they always do, insist that what the People's Liberation Army does is "different" because it's economic espionage, in which the Chinese army breaks into networks from certain industries and companies, and shares the details with Chinese companies. The US does not appear to do the same thing directly, though there are indications of indirect economic espionage (i.e., spying on companies to then inform general US policy that might help US companies). The Chinese have (quite reasonably) questioned how there's a legitimate distinction between the different kinds of espionage.

Either way, at a time when the US is under intense scrutiny for its questionable espionage efforts, including installing backdoors into US networking equipment (which is what they've accused the Chinese of doing repeatedly, despite no actual evidence), filing criminal charges against the Chinese for cyberspying... just looks really sad. It stinks of hypocrisy.

The agency pried its way into the servers in Huawei’s sealed headquarters in Shenzhen, China’s industrial heart, according to N.S.A. documents provided by the former contractor Edward J. Snowden. It obtained information about the workings of the giant routers and complex digital switches that Huawei boasts connect a third of the world’s population, and monitored communications of the company’s top executives.

One of the goals of the operation, code-named “Shotgiant,” was to find any links between Huawei and the People’s Liberation Army, one 2010 document made clear. But the plans went further: to exploit Huawei’s technology so that when the company sold equipment to other countries — including both allies and nations that avoid buying American products — the N.S.A. could roam through their computer and telephone networks to conduct surveillance and, if ordered by the president, offensive cyberoperations.

Much of this is unsurprising. The government has long held (even though it has failed to produce any proof) that Huawei is used by the Chinese government to spy on other countries via subverted hardware, so it would make sense for the NSA to have the company under surveillance. But what's happening here seems to exceed the bounds of defensive surveillance and head into corporate espionage territory.

[T]he articles make it clear that 3 years after they started this targeted program, SHOTGIANT, and at least a year after they gained access to the emails of Huawei’s CEO and Chair, NSA still had no evidence that Huawei is just a tool of the People’s Liberation Army, as the US government had been claiming before and since. Perhaps they’ve found evidence in the interim, but they hadn’t as recently as 2010.

Nevertheless the NSA still managed to steal Huawei’s source code. Not just so it could more easily spy on people who exclusively use Huawei’s networks. But also, it seems clear, in an attempt to prevent Huawei from winning even more business away from Cisco.

I suspect we’ll learn far more on Monday. But for now, we know that even the White House got involved in an operation targeting a company that threatens our hegemony on telecom backbones.

If there's been no evidence uncovered that Huawei equipment is being deployed with Chinese government-friendly backdoors, then the NSA is engaged in self-serving corporate espionage, one that keeps Cisco -- and consequently, the NSA -- in wide circulation.

Even if you believe this is exactly the sort of thing our intelligence agencies should be doing, it's hard to ignore the inherent hypocrisy of the government's words and actions. Even Jack Goldsmith, who has previously argued that the US needs an "invasive NSA," had this to say about the latest leak.

The Huawei revelations are devastating rebuttals to hypocritical U.S. complaints about Chinese penetration of U.S. networks, and also make USG protestations about not stealing intellectual property to help U.S. firms’ competitiveness seem like the self-serving hairsplitting that it is.

While the revelations that the NSA is surveilling a foreign company deemed untrustworthy by government officials are hardly surprising, the whole situation is tainted by the US government's hard line against Huawei. Many accusations have surfaced over the last decade but have remained unproven, even as the US government has locked Huawei out of domestic contracts and persuaded other countries to seek different vendors. This isn't passive monitoring being deployed to detect threats. This is an active invasion of a private company's internal network in order to subvert its hardware and software, all of which will likely benefit its largest competitor, either directly or indirectly. The NSA isn't Cisco's personal army, but their mutual goals (widespread Cisco deployment) are so closely aligned, the agency might as well be.

If the NSA has found any evidence that Huawei is operating on behalf of the Chinese government, now would be the time to make that information public. With Michelle Obama's goodwill tour of China underway, it's hardly beneficial for our surveillance hypocrisy to be on display (again).

The Times reports, “There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States.” And an NSA spokeswoman, Vanee Vines, says, “N.S.A.’s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets in response to intelligence requirements.”

So what is the redeeming social value of the story? What “abuse” is being revealed? What threat to American civil liberties has been exposed here? Why is this something the public needs to know?

The answers are: None. None. None. And it isn’t.

As he sees it, revealing this allows terrorists to alter their hardware habits to further avoid surveillance. The American public, however, is supposedly completely unaffected, at least according to the New York Times' conclusions and an NSA spokeswoman's statement. Whether or not one agrees with Thiessen's claim that there's nothing here that warrants exposure to the general public, where he goes next is just completely wrong.

As one former senior intelligence official told me recently, stories like this are nothing more than “espionage porn.” They serve no greater social purpose than to titillate.

And the man behind so many of these revelations, Edward Snowden, is nothing more than the Larry Flynt of the intelligence world – a shameless espionage pornographer.

Except for one big difference: pornography is legal. Sharing America’s espionage secrets is a crime.

"Espionage porn" is a nifty catchphrase and some leaks have been less "revealing" than others. But to label Snowden an "espionage pornographer" makes two assumptions -- one of them questionable and the other laughable. To call Snowden's leaks "espionage" rather than whistleblowing is to buy into the NSA's and the administration's stance. There's plenty of gray area between those two terms and sometimes what the government pursues as "illegal" is nothing more than inconvenient. (See also: the panic proceeding Manning's leaks and the multiple deaths and diplomatic fallout that failed to occur.)

Pinning this particular release on Snowden and painting him as a "pornographer" is willful ignorance in search of a tantalizing pull quote. Snowden isn't guiding the release of these leaks. The entities he turned the documents over to are. If anyone's an "espionage pornographer," it's the New York Times -- the outlet that decided to publish these documents. If Thiessen wants to argue this release serves no greater interest than "titillating" the public, fine. But don't pin it on the guy who isn't making editorial decisions.

Amnesty? Have they lost their minds? Snowden is a traitor to his country, who is responsible for the most damaging theft and release of classified information in American history. His actions have exposed not only the NSA terrorist surveillance programs, but our intelligence collection efforts against foreign governments, including Russia and China. He has aided our enemies, shared intelligence with potential adversaries, and has damaged our ability to defend against future terrorist attacks. Maybe we offer him life in prison instead of a firing squad, but amnesty? That would be insanity.

Almost everything Thiessen says here is debatable, at best. "Aided our enemies" is just a talking point used to justify espionage charges. Little evidence exists that our enemies are in a better position to harm us than they were pre-leaks.

"Sharing" documents with "potential adversaries" sounds worse than it is. Any public release of these documents would "share" with "potential adversaries." That's the nature of publication. Anyone (excluding certain government employees) can read it. And that's a whole lot of speculation to pack into one short sentence. How can anyone logically worry about "potential" adversaries, especially when the US seems to have plenty of existent adversaries?

And the last part -- "damaged our ability to defend against future terrorist attacks" -- is just ridiculous. Even the NSA itself is having trouble coming up with examples of how its programs have averted attacks. The longer this goes on, the weaker these arguments become.

Thiessen doesn't care for Snowden or his leaks. That's fine. He disagrees with others about what is or isn't "public interest." Again, that's a matter of opinion. (Although, given his general stance on Snowden, I'm of the opinion that no document that has been released meets his standard for "public interest," at least not if weighed against all the speculative "damage" it does to national security.) But when he blames Snowden for a New York Times' editorial decision, he's just taking a cheap swing at the target he likes least.

from the can't-take-the-heat dept

It's no secret that big companies, especially the giant multinationals, often have very advanced corporate espionage teams (sometimes staffed by former government spooks). The practices can sometimes be extreme and problematic, like when HP used its corporate espionage team to spy on board members and journalists. However, it seems that with the rise of consumer interest groups and very effective activists, many of these giant companies are using their corporate espionage team to spy on those non-profits and activists instead.

Many of the world’s largest corporations and their trade associations — including the U.S. Chamber of Commerce, Walmart, Monsanto, Bank of America, Dow Chemical, Kraft, Coca-Cola, Chevron, Burger King, McDonald’s, Shell, BP, BAE, Sasol, Brown & Williamson and E.ON – have been linked to espionage or planned espionage against nonprofit organizations, activists and whistleblowers.

Many different types of nonprofit organizations have been targeted with corporate espionage, including environmental, anti-war, public interest, consumer, food safety, pesticide reform, nursing home reform, gun control, social justice, animal rights and arms control groups.

Corporations and their trade associations have been linked to a wide variety of espionage tactics against nonprofit organizations. The most prevalent tactic appears to be infiltration by posing as a volunteer or journalist, to obtain information from a nonprofit. But corporations have been linked to many other human, physical and electronic espionage tactics against nonprofits. Many of these tactics are either highly unethical or illegal.

The full report includes plenty of examples, including the famous HBGary Federal/Hunton & Williams/Bank of America attempt to infiltrate Anonymous (and Wikileaks). It also includes stories about Stratfor, Monsanto and others. There was one example in there that I was unaware of, involving the giant pharmaceutical lobbying group PhRMA trying to spy on Jamie Love and Knowledge Ecology International. Love is a friend and KEI has done amazing work in informing the world about dangerous efforts by PhRMA and others to use international trade agreements to push through rules and laws that harm the public around both copyright and patent issues. So, perhaps it's not a surprise that they'd spy on him, but it's still quite troubling. The same report notes that a bunch of others, including Microsoft, hired another company closely associated with former IP czar Victoria Espinel to try to spy on Love and KEI:

Shortly after the passage of the Affordable Care Act, Love says he received a visit in his offices from a man who said he was recently let go from his job at Pharmaceutical Research and Manufacturers of America (PhRMA). “He said his job involved monitoring what I was doing, every day.” Love said. “He told me that PhRMA had hired a private investigator to investigate us, from the West Coast.” Separately, from 2007 to 2008, Love says that PhRMA and some companies in the copyright sector funded efforts to investigate the sources of funding for NGOs working on intellectual property issues, and to press those foundations to end their support of consumer advocacy.

Around 2008 or 2009, General Electric, Microsoft, Pfizer and other firms funded an effort by the National Foreign Trade Council (NFTC) to provide intelligence on NGOs working on intellectual property issues. Love says, “They approached someone we knew, with a proposal to provide information on Knowledge Ecology International and other NGOs working on intellectual property issues, as part of a program to counter NGO advocacy efforts on behalf of consumers.” Eventually, Love says, the NFTC contracted with the Romulus Global Issues Management, an “international policy consultancy” that advises “several members of the Fortune 100.” The managing partner of Romulus is John Stubbs, whose wife is Victoria A. Espinel, a former Romulus employee. Espinel was U.S. Intellectual Property Enforcement Coordinator (IP czar) for the Obama administration, and is currently the CEO and President of the Business Software Alliance (BSA).

This is really playing dirty. While these companies may not appreciate what public interest groups like KEI do, digging into their activities and spying on them seems to go way beyond reasonable.

from the everything-else-is-a-distraction dept

We recently wrote about how Kurt Eichenwald's bizarre and irrational deference to his friends in the security state led him to claim that Ed Snowden is a Chinese spy, whose work was specifically designed to aid China in its attempts to attack the internet. The level of cognitive dissonance to make such an argument is quite stunning. Thankfully, most people seemed to see right through the insanity. In the meantime, over at The Guardian, John Kampfner has what might be considered the much more accurate version of the same story. It notes how the knowledge of the NSA's activities has played right into Russia and China's hands concerning their efforts to gain greater control over the internet:

Slowly but surely governance of the internet is moving from the existing mishmash of institutions and into the hands of national governments. The Chinese call this "cyber autonomy".

Authoritarian regimes are showing ever-greater confidence in restricting information, filtering, blocking, monitoring and punishing anyone who steps over the mark.

And, yes, the knowledge of what the US is doing is giving the Chinese, Russians and plenty of others greater confidence to push for their own agenda. Amazingly, and in a sad statement on the state of the US government today, the report notes that a Chinese official recently argued:

At the recent IGF in Indonesia the Chinese were, for the first time, out in force. One "expert" offered to explain to a US state department official why US human rights standards are not up to scratch and how China could help.

This is, certainly, all just political posturing from a country that has a dreadful human rights record, but as we've noted plenty of times, the loss of any semblance of a moral high ground by the US on human rights has serious consequences. But unlike Eichenwald, Kampfner doesn't blame the messenger. Instead he puts the blame squarely where it belongs -- on the US government for its activities.

American dominance of the internet is being challenged on several fronts. The Obama administration and its spooks only have themselves to blame.

Except, of course, they're using compliant mouthpieces like Eichenwald to, instead, try to blame the messenger. Nothing is going to get fixed here until the current leadership either takes responsibility or is replaced in office by those who will take responsibility.

from the good-luck-with-that dept

And the attempts to tar and feather Ed Snowden continue. The latest is that famed reporter Kurt Eichenwald, who started attacking Ed Snowden months ago, has written up a long speculative article for Newsweek arguing that Ed Snowden has "escalated the cyber war" by giving China the necessary cover it needs to avoid reining in its own cyber attacks. There are a lot of words in the piece -- in usual Eichenwald fashion -- which just add flowery language around the basic point:

"Snowden changed the argument from one of 'The Chinese are doing this, it's intolerable' to 'Look, the U.S. government spies, so everybody spies,'" says Richard Bejtlich, chief security officer at Mandiant, the firm that linked hacking intrusions in America to the Chinese military. "Of course the U.S. spies, but none of what the U.S. is doing is benefiting American business, and pretty much everything the Chinese are doing is benefiting Chinese businesses."

That is, if you follow the bizarre logic here, without Snowden, Eichenwald believes that the US would have somehow convinced the Chinese to stop their cyber attack program. And, now because of Snowden, the Chinese can ignore that effort, by pointing out that the US is doing a ton of online hacking too. This is ludicrous on multiple levels. First: the idea that China would actually back off of its online efforts is simply not based in reality. They're going to attack and they're going to keep attacking. Second, there's the idea that it's Snowden's fault that China now has this excuse not to stop hacking. It wasn't Snowden who made the decision to have the NSA overreach in its operations. That's on the US government -- but in Eichenwald's mind (fed heavily by US intelligence community employees) -- the US government can do no wrong and its spying is "different" than Chinese activities, because it's for good reasons.

Of course, this is the same excuse that defenders of bad state behavior always use. In fact, it's the same excuse that the Chinese use for many of their own online activities -- such as the Great Firewall of China, which they don't see as censorship, but providing a better internet.

Again, nearly everything about that statement is ridiculous. He didn't "leave all of the documents in Hong Kong." He provided heavily encrypted versions to a very small number of journalists, and then got rid of the files himself. Eichenwald takes that to mean he "left" them in Hong Kong, based on nothing, and all of this apparently means that Snowden is working for the Chinese (even though he left China pretty quickly).

Of course, all of this is coming out even as more and more officials around the world, including in the US, are recognizing how important the Snowden leaks have been in showing the nature of how the NSA has gone way beyond what it's supposed to be doing. It really feels like Eichenwald's piece is just a last gasp effort by his friends in the intelligence community to try to tar and feather Snowden rather than take responsibility for their own activities.

from the says-a-lot dept

Another day, another foreign country realizing that the NSA is spying on its leadership. This time around, it's Germany, where Chancellor Angela Merkel, alerted to the possibility by reporters working on Snowden documents for Spiegel, called President Obama to confront him about evidence that the NSA was monitoring her mobile phone calls.

During her conversation with Obama, Merkel expressed her expectation that "US authorities would provide an explanation about the possible extent of such surveillance practices, and thus answer questions that the German government already posed months ago," Seibert said.

"As a close ally of the United States of America, the German government expects a clear contractual agreement on the activities of the agencies and their cooperation," he added.

Of course, as with similar revelations recently concerning Brazil, France and Mexico, none of this should really be all that surprising. Spying agencies spy on top elected officials and bureaucrats in other countries all the time. It's what they do. A lot of the reaction to getting caught is just political theater. It's embarrassing, but not nearly as big a deal as governments spying on citizens. That said, the amusing bit is this:

"The President assured the Chancellor that the United States is not monitoring and will not monitor the communications of Chancellor Merkel."

Oh, and this:

The spokeswoman did not wish to specify whether this statement applied to the past.

Yup. Genius move by the White House spin doctors there. Say we're not monitoring and won't in the future, calling that much more attention to the question of "in the past" and then refuse to make any statements about that.

from the all-the-same dept

Many in the press still seem to have difficulty recognizing that a whistleblower, even one disliked by the government, isn't somehow an automatic pariah to society. Instead, they like to lump them in with actual law breakers. Here are two recent examples. First up is the Washingtonian, who seems to think that Ed Snowden and Chelsea Manning should be viewed in the same light as actual spies -- people who famously chose to sell secrets to our enemies or to help those enemies against the US. Lumping Manning and Snowden in with Julius and Ethel Rosenberg, Benedict Arnold, Aldrich Ames, John Walker Lindh and others suggests a profound misunderstanding of what Snowden and Manning did: releasing evidence of significant wrongdoing by the US government to the press. You would think if anyone could understand it, it should be the press.

Still, I can understand how some confused people still want to argue that there's at least a continuum between some of those folks and Manning and Snowden -- even if I disagree wholeheartedly -- simply because of the releasing of classified information. I think it's very different to give that info to the press, which is then able to go through it and report on the stories (as both Snowden and Manning did) than giving it to a foreign power, but some people don't seem to get that distinction.

Yes, the argument they're making is that these are all examples of "missed signals in our government-clearance system." And we've certainly discussed how terrible the process is for getting top secret clearance these days. But, even so, lumping those four together is crazy. There's nothing about what Manning or Snowden did that should have set off alarm bells during the clearance process. They were people who loved America and then realized that the government was secretly doing things that they believed to be fundamentally anti-American, and they set out to try to fix that by alerting the public. That's pretty damn different than going someplace and shooting it up.

These are both subtle ways in which the press is trying to smear Snowden and Manning, by lumping them in with crimes of which they are not guilty.

from the also,-you-will-fall-victim-to-phishing dept

Every year, Verizon releases a fairly detailed report looking into data breaches, and the recent release on the 2013 report is quite interesting, highlighting how much state-sponsored attacks are the root cause of data breaches. Not surprisingly, there's a strong correlation between that and espionage (rather than direct financial benefit) being the main reason for the attacks. And, also not surprising: China is a major source of these attacks. However, one thing the study does make clear is that for all the people who claim that insiders are the biggest threat, that's less and less likely true, at least on a pure numbers basis. Insiders may be able to do more direct damage per breach, but it seems clear that in terms of sheer numbers of attacks, it's all about outsider attacks these days. There's actually been a pretty noticeable shift on this front over the past few years:

The report is actually fairly entertaining and quite readable. It does note that the rise in data on state-sponsored attacks might not be due to an actual increase in those attacks, but better data and better evidence collection -- but either way, it does appear that China continues to be a pretty big threat when it comes to outside attacks for espionage purposes. On the financial side, it's apparently all about Romania.

Separately, there's a fantastic chart that lays out three major types of attackers, who they target and how they generally do what they do. It's a pretty handy chart for understanding the overall layout of data breaches and how they normally occur:

I'm actually somewhat surprised that phishing isn't used more often across all types, as the report also notes that phishing is astoundingly effective:

We try to avoid rolling out scary memes like “you will be compromised,” but when it comes to phishing attacks, that’s exactly what the data tells us. Phishing e-mails vary in quality, payload, and purpose, but they all share the same initial goal: get the user to take action. Getting the user to click (on a link or attachment) is the first obstacle for all phishing campaigns. So how many e-mails would it take to get one click?

[....] It’s pretty easy to see why this is a favored attack for espionage campaigns and the answer to our question is “three.” Running a campaign with just three e-mails gives the attacker a better than 50% chance of getting at least one click. Run that campaign twice and that probability goes up to 80%, and sending 10 phishing e-mails approaches the point where most attackers would be able to slap a “guaranteed” sticker on getting a click. To add some urgency to this, about half of the clicks occur within 12 hours of the phishing e-mail being sent.

That said, the report notes that merely getting a click doesn't mean the person will put in their information, or create a true compromise, but it is somewhat astounding nonetheless.

The report also notes what a disaster it is that we still use one-factor passwords (i.e. typical passwords) for most things, rather than (at the very least) two-factor authentication, noting that this would kill off 80% of successful hacks.

Another interesting point in all of this is that the researchers note they've seen no evidence that attackers are targeting cloud-based services over in-house ones. It's not that there aren't attacks on cloud services, it's just that it doesn't seem like a clear thing that attackers focus on. Of course, a separate research report notes just how much investment is going into the enterprise cloud these days, so I'm guessing that cloud providers are going to become increasingly large targets. While they may have stronger security, breaking in will probably be so valuable to attackers that it'll be worth attacking that stronger fortress.

And, finally, if you want to be scared about how many of these attacks have probably gone on and aren't known about yet, well, the end of the report is not particularly comforting. It notes that, from the data the researchers are using, it shows that initial attacks happen pretty quickly (within a few hours, which is up from minutes a few years ago, but still relatively quick), and getting data out comes pretty soon after that. But (and here's the scary part) actually having those breaches noticed? That doesn't happen for months and more often than not happens because another outsider discovers it, rather than an insider or an internal system raising the alarm.

In about a third of those cases, the "outsider" is a totally unrelated party, but in 9% of cases, it's a customer who discovers the data breach. That can't be good for customer confidence.

There's a lot more data in the report, and it's well worth reading. However, as we've been talking so much lately about privacy and security when it comes to governments -- mainly with a focus on activities by intelligence agencies in the US and other allies -- it's worth noting other forms of attacks as well, and the trends related to them. The growth of attacks that are really a form of espionage, rather than just organized crime, seems like a noteworthy, if not all that surprising, finding.